CSRF Vulnerability in BuddyPress Activity Plus Plugin for WordPress
CVE-2015-9455

8.1 HIGH

Key Information:

Vendor

Wordpress

CVE Published:
7 October 2019

What is CVE-2015-9455?

The BuddyPress Activity Plus plugin for WordPress, prior to version 1.6.2, contains a Cross-Site Request Forgery (CSRF) vulnerability in its wp-admin/admin-ajax.php handler. An attacker can cause a victim's browser to submit a forged request for the bpfb_remove_temp_images action, and because the bpfb_photos[] parameter is used to build file paths without adequate validation, the forged request can perform directory traversal and potentially delete arbitrary files on the server. The flaw illustrates two separate controls that Ajax endpoints in WordPress plugins need: a nonce check that ties each request to a user and an action, and sanitization that confines user-supplied file names to the intended directory.
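The following is an added example, not the plugin's own code, of how a WordPress admin-ajax handler for a "remove temporary images" action can close both gaps named above. The action and parameter names (bpfb_remove_temp_images, bpfb_photos[]) are taken from the description; the nonce action name, the capability, the temporary directory location and the function name prefixed example_ are assumptions made for the illustration.

```php
<?php
// Added example (not the plugin's own code): a hardened admin-ajax handler.
// Only the authenticated hook is registered; no wp_ajax_nopriv_* variant exists,
// so anonymous requests never reach the handler.
add_action( 'wp_ajax_bpfb_remove_temp_images', 'example_bpfb_remove_temp_images' );

function example_bpfb_remove_temp_images() {
    // 1. CSRF defence: the request must carry a nonce that WordPress issued to this
    //    user for this action. check_ajax_referer() terminates the request on failure,
    //    so a forged cross-site request without the nonce is rejected here.
    //    ('bpfb_remove_temp_images' as nonce action and 'nonce' as field are assumed.)
    check_ajax_referer( 'bpfb_remove_temp_images', 'nonce' );

    // 2. Authorization: require a capability rather than trusting any logged-in user.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input: bpfb_photos[] is expected to be a list of bare file names.
    $photos = isset( $_POST['bpfb_photos'] ) ? (array) $_POST['bpfb_photos'] : array();

    // Assumed location of the temporary upload area, inside the uploads directory.
    $upload   = wp_upload_dir();
    $temp_dir = realpath( trailingslashit( $upload['basedir'] ) . 'bpfb/tmp' );
    if ( false === $temp_dir ) {
        wp_send_json_error( 'temporary directory not available', 500 );
    }

    $removed = array();
    foreach ( $photos as $raw ) {
        // Keep only the last path component and normalise it; this discards any
        // "../" or absolute-path prefix a caller might supply.
        $name = sanitize_file_name( basename( wp_unslash( (string) $raw ) ) );
        if ( '' === $name ) {
            continue;
        }

        // 4. Path containment: resolve symlinks and "..", then require the result to
        //    sit strictly inside $temp_dir before touching the filesystem.
        $target = realpath( $temp_dir . DIRECTORY_SEPARATOR . $name );
        if ( false === $target
            || 0 !== strpos( $target, $temp_dir . DIRECTORY_SEPARATOR ) ) {
            continue; // missing, or resolved to somewhere outside the sandbox
        }

        if ( is_file( $target ) && unlink( $target ) ) {
            $removed[] = $name;
        }
    }

    wp_send_json_success( array( 'removed' => $removed ) );
}
```

The client side has to send the nonce the handler expects: emit it with `wp_create_nonce( 'bpfb_remove_temp_images' )` (for example through `wp_localize_script`) and include it as the `nonce` field of the Ajax POST. The two controls are independent: the nonce stops forged requests from other origins, while the `basename()` plus `realpath()` containment check stops a legitimately authenticated caller from steering the deletion outside the temporary directory, so neither check alone is sufficient.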

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
